GDPR Compliance Checklist

Answer 25 yes/partial/no questions across data inventory, consent management, subject rights, breach response, and third-party processors. Get a compliance score and download a full gap-analysis report.

GDPR Self-Assessment Checklist


Data Inventory

Do you maintain a Record of Processing Activities (RoPA)?
A RoPA documents what personal data you process, why, who has access, and how long you keep it.
GDPR Article 30
Have you identified all sources where personal data enters your organisation?
Include websites, apps, CRMs, paper forms, phone calls, and third-party data purchases.
GDPR Article 30
Do you know which third parties receive personal data from your organisation?
Include analytics providers, email platforms, payment processors, cloud services, and contractors.
GDPR Article 28

Lawful Basis

Have you identified a lawful basis for every processing activity?
GDPR requires one of six bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
GDPR Article 6
Where you rely on consent, is it freely given, specific, informed, and unambiguous?
Pre-ticked boxes, bundled consent, and vague language all fail the GDPR consent standard.
GDPR Article 7
Have you documented your lawful basis for each processing activity?
Record the basis internally (the RoPA is the natural place) and state it in your privacy notice; where you rely on legitimate interests, name the interests pursued and keep the balancing test on file.
GDPR Article 5(2)

Privacy Notices

Do you provide a clear and accessible privacy notice to data subjects?
The notice must be written in plain language and explain who you are, what data you collect, why, and what rights users have.
GDPR Articles 13–14
Is your privacy notice updated when processing activities change?
You must update and re-communicate the notice whenever significant changes occur.
GDPR Article 13
Does your cookie banner allow users to reject non-essential cookies?
Accepting all cookies must not be the only or easiest option: Decline must be as easy as Accept, and non-essential cookies must not be set until the user has actually consented.
GDPR Article 7 (consent must be as easy to withdraw as to give) / ePrivacy Directive Article 5(3)

Data Subject Rights

Do you have a process to respond to Subject Access Requests (SARs) within one month?
You must confirm whether you process the person's data and provide a copy of it, free of charge for the first copy, within one month of receipt. The deadline can be extended by a further two months for complex or numerous requests, but only if you tell the requester within the first month.
GDPR Article 15
Can you action Right to Erasure ("Right to be Forgotten") requests?
You must delete personal data when requested, unless an Article 17(3) exemption applies (e.g. a legal obligation to retain the data, or establishing or defending legal claims), and you must pass the request on to any processors holding the data.
GDPR Article 17
Can you provide data in a portable format (Right to Portability)?
When processing is based on consent or contract and is automated, you must export data in a machine-readable format (JSON, CSV).
GDPR Article 20
Do you log and track all data subject requests?
Maintain a register of requests, responses, and timelines to demonstrate compliance.
GDPR Article 5(2)

Data Security

Do you encrypt personal data in transit and at rest?
Article 32(1)(a) names encryption and pseudonymisation as appropriate measures. Use TLS (not legacy SSL) for all data transmissions, and encrypt databases, file stores, and backups that hold personal data, with keys managed separately from the data they protect.
GDPR Article 32
Do you conduct regular security assessments or penetration tests?
GDPR requires "regular testing and evaluation" of technical and organisational security measures.
GDPR Article 32(1)(d)
Do you have access controls limiting data to those who need it (least privilege)?
Implement role-based access controls. Only staff who need data for their role should access it.
GDPR Article 32

Breach Response

Do you have a documented data breach response procedure?
The procedure must enable you to detect, contain, and assess the risk of a breach, notify the supervisory authority within 72 hours of becoming aware of it where required, and inform affected individuals without undue delay where the risk to them is high (Article 34).
GDPR Article 33
Do you notify the supervisory authority within 72 hours of becoming aware of a breach?
Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, you must notify the relevant Data Protection Authority within 72 hours; if notification is later than that, it must be accompanied by the reasons for the delay.
GDPR Article 33
Do you maintain a breach register documenting all incidents?
Record all breaches, including those that do not require notification, with the facts of the breach, its effects, and the remedial action taken. The register is how you demonstrate to the authority that your notification decisions were justified.
GDPR Article 33(5)

Third-Party Processors

Do you have signed Data Processing Agreements (DPAs) with all processors?
Any vendor that processes personal data on your behalf must sign a GDPR-compliant DPA. This includes SaaS tools, email platforms, and cloud providers.
GDPR Article 28
Do you conduct due diligence on processors' security practices?
Review processors' security certifications and audit reports (ISO 27001, SOC 2), their sub-processor lists, and their own data protection policies. A certificate is evidence of "sufficient guarantees", not a substitute for the Article 28 contract terms.
GDPR Article 28(1)

International Transfers

If you transfer data outside the EU/EEA, do you have a valid transfer mechanism?
Valid mechanisms include an adequacy decision for the destination country, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). Following the Schrems II judgment, SCCs and BCRs must be accompanied by a documented transfer risk assessment and, where needed, supplementary measures.
GDPR Articles 44–49

Privacy by Design

Do you conduct Data Protection Impact Assessments (DPIAs) for high-risk processing?
DPIAs are mandatory before processing that is likely to result in high risk, such as large-scale profiling, systematic monitoring, or large-scale processing of special-category data. If the DPIA shows high residual risk that you cannot mitigate, you must consult the supervisory authority before starting (Article 36).
GDPR Article 35
Do you apply data minimisation — collecting only what is necessary?
Collect only the personal data required for the specific purpose. Do not collect data "just in case".
GDPR Article 5(1)(c)
Do you have a privacy champion or Data Protection Officer (DPO) responsible for GDPR compliance?
A DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special-category or criminal-conviction data (Article 37(1)). Smaller organisations should still name someone accountable for compliance.
GDPR Articles 37–39

How to use the GDPR Compliance Checklist

Score your business against 25 GDPR requirements.

1. Work through all 25 questions across nine GDPR categories. Answer Yes, Partial, or No for each.

2. Once all questions are answered, click Generate GDPR Compliance Report.

3. Review your score and grade, download the gap-analysis report, and use it to prioritise compliance actions.

Frequently Asked Questions

Is GDPR Compliance Checklist free to use?
Yes, GDPR Compliance Checklist is 100% free with no account required and no usage limits.
Is my data private?
Yes. Processing happens entirely in your browser. We never see, store, or transmit your input data.
Is the generated document legally binding?
The output is a professionally structured template based on current legal best practices. It is not legal advice. We recommend having any generated document reviewed by a qualified attorney before publishing or relying on it.
Is my business data stored anywhere?
No. Everything you enter stays in your browser session. No data is sent to our servers.
Can I edit the generated document?
Yes. The output is plain text / Markdown that you can paste into any editor and customise to match your specific situation.